b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                   The Income Verification Express Services\n                    Program Needs Improvements to Better\n                        Protect Tax Return Information\n\n\n\n                                        January 26, 2011\n\n                              Reference Number: 2011-40-014\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number | 202-622-6500\n Email Address | TIGTACommunications@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                                 HIGHLIGHTS\n\n\nTHE INCOME VERIFICATION EXPRESS                      information that could be used to commit identity\nSERVICES PROGRAM NEEDS                               theft. During the last two calendar years, the\nIMPROVEMENTS TO BETTER PROTECT                       IVES Program processed more than 10 million\nTAX RETURN INFORMATION                               requests annually.\n                                                     Nonetheless, the IRS does not have a screening\n                                                     process and does not define minimum\nHighlights                                           requirements in the form of a user agreement to\n                                                     help ensure IVES Program participants meet\nFinal Report issued on January 26, 2011              minimum standards and protect tax return\n                                                     information. To be eligible to receive large\nHighlights of Reference Number: 2011-40-014          quantities of taxpayer income information from\nto the Internal Revenue Service Commissioner         the IRS via the IVES Program, applicants simply\nfor the Wage and Investment Division.                must submit an IVES application and register for\n                                                     e-Services. In addition, the IRS does not require\nIMPACT ON TAXPAYERS                                  IVES Program participants to maintain electronic\nBorrowers cannot obtain loans unless they sign       security and not disclose the information they\na consent that allows the Internal Revenue           receive from the IRS to nonaffiliated third\nService (IRS) to disclose their nonpublic income     parties.\ninformation to their lenders. Lenders can obtain     WHAT TIGTA RECOMMENDED\nthis income information from the Income\nVerification Express Services (IVES) Program.        TIGTA recommended that the Commissioner,\nTaxpayers\xe2\x80\x99 personally identifiable information is    Wage and Investment Division, (1) develop and\nat risk of theft or misuse when taxpayers submit     enforce minimum requirements for the IVES\nIVES requests for tax return information through     Program; (2) update the IVES application to\nthird parties because controls are insufficient to   include a statement that taxpayer information\nensure taxpayer information the IRS provides to      can only be used for the purpose the taxpayer\nIVES Program participants is protected.              intended as well as ensuring the current version\n                                                     is provided to all applicants, is posted on\nWHY TIGTA DID THE AUDIT                              IRS.gov, and is the only version accepted;\nPersonally identifiable information, such as a       (3) within one year of revising the IVES\nSocial Security Number, is the most valuable         application, contact and obtain a completed\ntool an identity thief can obtain to commit          application from all current IVES Program\nfinancial fraud. It becomes even more valuable       participants; and (4) revise transcript request\nif it is linked to other personal data, such as      forms to allow taxpayers to limit lenders\xe2\x80\x99\nincome information used to prepare a tax return.     disclosure of their tax return information to\nThe IRS should be able to assure taxpayers that      nonaffiliated third parties only if it is in the course\nit is taking every precaution possible to protect    of processing or selling their loan.\ntheir personal information.                          The IRS agreed with our recommendations and\nThe overall objective of this review was to          plans to (1) explore minimum requirements for\nevaluate regulations and IVES enrollment             IVES participants; (2) revise the IVES\npolicies that ensure lenders, such as banks, and     application and ensure it provides the current\ncompanies that specialize in making third-party      version to all IVES applicants and on IRS.gov\nrequests for lenders (Income Verification            and only accepts the most current version from\nSpecialists) properly protect taxpayers\xe2\x80\x99 tax         applicants; (3) obtain a completed version of the\nreturn information.                                  new form from all IVES Program participants;\n                                                     and (4) develop the necessary language for\nWHAT TIGTA FOUND                                     transcript request forms to allow taxpayers to\n                                                     limit lenders\xe2\x80\x99 disclosure.\nIVES Program participants obtain and collect\nlarge quantities of taxpayers\xe2\x80\x99 personally\nidentifiable information and associated tax return\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                           January 26, 2011\n\n\n MEMORANDUM FOR COMMISSIONER, WAGE AND INVESTMENT DIVISION\n\n FROM:                       Michael R. Phillips\n                             Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 The Income Verification Express Services\n                             Program Needs Improvements to Better Protect Tax Return\n                             Information (Audit # 201040043)\n\n This report presents the results of our review to evaluate regulations and Income Verification\n Express Services (IVES) enrollment policies that ensure lenders, such as banks, and companies\n that specialize in making third-party requests for lenders (Income Verification Specialists)\n properly protect taxpayers\xe2\x80\x99 tax return information. This audit is included in our Fiscal Year 2011\n Annual Audit Plan and addresses the major management challenge of Taxpayer Protection and\n Rights.\n Management\xe2\x80\x99s complete response to the draft report is included as Appendix IV.\n Copies of this report are also being sent to the Internal Revenue Service managers affected by the\n report recommendations. Please contact me at (202) 622-6510 if you have questions or\n Michael E. McKenney, Assistant Inspector General for Audit (Returns Processing and Account\n Services), at (202) 622-5916.\n\x0c                           The Income Verification Express Services Program Needs\n                            Improvements to Better Protect Tax Return Information\n\n\n\n\n                                            Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... Page 6\n          Controls Over the Income Verification Express Services\n          Program Need Strengthening to Protect Tax Return\n          Information From Disclosure ........................................................................ Page 6\n                    Recommendations 1 through 4:......................................... Page 12\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 13\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 15\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 16\n          Appendix IV \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ...................... Page 17\n\x0c         The Income Verification Express Services Program Needs\n          Improvements to Better Protect Tax Return Information\n\n\n\n\n                       Abbreviations\n\nCBSV            Consent-Based Social Security Number Verification\ne-file          electronic file\nIRS             Internal Revenue Service\nIVES            Income Verification Express Services\n\x0c                       The Income Verification Express Services Program Needs\n                        Improvements to Better Protect Tax Return Information\n\n\n\n\n                                            Background\n\nPersonally identifiable information, such as a Social Security Number, is the most valuable tool\nan identity thief can obtain to commit financial fraud. It becomes even more valuable if it is\nlinked to other personal data, such as income information used to prepare a tax return. More\nthan 142 million taxpayers entrust the Internal Revenue Service (IRS) with sensitive financial\nand personal data, much of it on paper documents requiring protection. The law requires that tax\nreturns and return information shall be confidential, except as authorized. The definition of tax\nreturn information includes a taxpayer\xe2\x80\x99s identity and the nature, source, or amount of income,\npayments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, and\ntax withheld.\nTaxpayers commonly request tax return transcripts1 for many reasons, which include verifying\nincome to obtain a loan. They can order the transcripts directly from the IRS or others can order\nthe transcripts on the taxpayer\xe2\x80\x99s behalf. Lenders, Income Verification Specialists,2 and other\nentities verify income information on behalf of a taxpayer through the IRS\xe2\x80\x99s Income Verification\nExpress Services (IVES) Program.\nLenders that loan money to individuals (borrowers) for mortgages require borrowers to verify\ntheir income before they approve their loans.3 This is accomplished by the borrower signing a\nconsent form that allows the lender to obtain a transcript of the borrower\xe2\x80\x99s tax information\ndirectly from the IRS.\nFor lenders to obtain transcripts, borrowers complete and provide the lender with either a\ncompleted Request for Transcript of Tax Return (Form 4506-T) or a Short Form Request\nfor Individual Tax\nReturn Transcript\n(Form 4506T-EZ). The\nrequest must include the\nname, address, and\ntelephone number of the third party to whom the IRS should send the income information\xe2\x80\x94\ntypically, the lender or an Income Verification Specialist.\nA signed Form 4506-T or 4506T-EZ must be submitted to the IRS within 120 days of the\nborrower\xe2\x80\x99s signature date. To obtain updated information, lenders should ask borrowers to\n\n1\n  Transcripts provide most of the information contained in a tax return.\n2\n  An Income Verification Specialist is a company that specializes in obtaining income information about individuals.\nLenders often use them to verify the income of loan applicants.\n3\n  Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub.L. No. 111-203, 124 Stat. 2143, enacted\nJuly 21, 2010.\n                                                                                                            Page 1\n\x0c                       The Income Verification Express Services Program Needs\n                        Improvements to Better Protect Tax Return Information\n\n\n\ncomplete and sign a new request form. In the past, to avoid this burden, lenders asked borrowers\nto sign blank request forms when applying for loans. In response, the IRS added a statement to\nthe top of Form 4506-T instructing borrowers to not sign the form unless all applicable lines\nhave been completed; however, the latest revision does not contain that statement.\nLenders that enroll in the IRS e-Services4 Program can use the IVES Program to fax bulk\nrequests (Forms 4506-T and 4506T-EZ) to one of the five IRS Return and Income Verification\nServices units.5 The Return and Income Verification Services units use the Transcript Delivery\nSystem6 to deliver tax return transcripts electronically to IVES participants\xe2\x80\x99 secure mailboxes\n(Secure Object Depository) located on the e-Services electronic platform. Lenders also contract\nwith Income Verification Specialists to order and obtain the transcripts for them.\nThe IVES Program automates bulk requests received from businesses that routinely submit a\nhigh volume of requests as part of their business operations (e.g., large mortgage or income\nverification companies). The IVES Program generally delivers transcripts to requestors within\n2 business days. Participants retrieve their transcripts from a secure mailbox. During the last\n2 calendar years, the IVES Program processed more than 10 million requests annually. It\ncurrently charges $2.25 for each request.\n\nIRS e-Services and the IVES Program\nLenders and Income Verification Specialists must apply to the IRS\xe2\x80\x99s e-Services and to the IVES\nProgram to request bulk transcripts.\n    \xe2\x80\xa2    To register for e-Services, applicants must provide their legal name, Social Security\n         Number, date of birth, telephone number, home and email address, and the Adjusted\n         Gross Income from either the applicant\xe2\x80\x99s current year or prior year filed tax return.\n    \xe2\x80\xa2    To register for the IVES Program, each participating company must complete an IVES\n         Application (Form 13803). Form 13803 requests basic information about the business,\n         including name, address, telephone number, and fax number. It also requires the name of\n         the principal owner or controlling officer of the company. The principal can be the\n         owner, business manager, or officer who has the responsibility to administer the\n         company\xe2\x80\x99s participation in the IVES Program. The form also asks for a primary point of\n         contact that would be available on a daily basis in case the IRS needs to contact the\n\n\n4\n  A suite of web-based products that allows tax professionals and taxpayers to conduct business with the IRS\nelectronically. These services are available 24 hours a day, 7 days a week, via the Internet.\n5\n  The five Return and Income Verification Service units with Income Verification Express Services are located in\nFresno, California; Kansas City, Missouri; Cincinnati, Ohio; Austin, Texas; and Ogden, Utah.\n6\n  The Transcript Delivery System automates the validation, processing, and delivery of taxpayer information to\ntaxpayers or authorized third parties. The Transcript Delivery System can be accessed by IRS employees and\nincludes self-service electronic communication, whereby the user can request and receive a transcript interactively\nthrough the e-Services portal.\n                                                                                                             Page 2\n\x0c                        The Income Verification Express Services Program Needs\n                         Improvements to Better Protect Tax Return Information\n\n\n\n           company. Finally, it asks for a Responsible Official, or the person who manages the\n           IVES Program at each business office location. The company can choose to designate a\n           Responsible Official or just a principal to oversee the process.\nOnce accepted into the IVES Program, participants can submit completed Forms 4506-T or\n4506T-EZ to confirm the income of taxpayers.\n\nLaws and regulations\nVarious laws address how third parties may disclose taxpayer information they obtain from the\nIRS. Title V of the Gramm-Leach-Bliley Act7 specifically addresses disclosure and security laws\nfor lenders and Income Verification Specialists working for lenders.\nThe Gramm-Leach-Bliley Act contains restrictive\nprivacy provisions relating to borrowers\xe2\x80\x99 income\n                                                                       Exceptions to the\ninformation; however, lenders may still share taxpayers\xe2\x80\x99         Gramm-Leach-Bliley Act allow\nincome information with third parties when they obtain           lenders to disclose borrowers\xe2\x80\x99\nit while servicing or processing a financial product or           personal income information\nservice that an individual requests (such as a mortgage          with nonaffiliated third parties.\nloan). For example, lenders may disclose income\ninformation to nonaffiliated third parties in the course of\nselling a loan on the secondary market without giving notice to the borrower or allowing them to\n\xe2\x80\x9copt out.\xe2\x80\x9d Lenders may also disclose income information to any third party (such as marketers)\nif the borrower does not specifically instruct the lender not to do so by \xe2\x80\x9copting out.\xe2\x80\x9d Lenders\nmust provide notices to their customers and consumers about their information-collection and\ninformation-sharing practices and give them the option to \xe2\x80\x9copt out.\xe2\x80\x9d Figure 1 provides a list of\nthe various laws and regulations on disclosure of taxpayer information.\n                            Figure 1: Laws and Regulations Regarding\n                                Disclosure of Taxpayer Information\n\nGramm-Leach-Bliley Act            Title V of the Act restricts how lending institutions may share borrowers\xe2\x80\x99\n                                  income information, including income information received from the IRS;\n                                  however, lenders may still share taxpayers\xe2\x80\x99 income information with\n                                  third parties in connection with servicing or processing a financial product\n                                  or service that an individual requests (such as a mortgage loan).\n                                  Such institutions must develop and give notice of their privacy policies to\n                                  their own customers and/or consumers before disclosing any individual\'s\n                                  nonpublic personal information (which includes personal financial\n                                  information to nonaffiliated third parties, thus giving notice and an\n                                  opportunity for that individual to "opt out" from such disclosure. This notice\n                                  must be provided at least annually.\n\n\n7\n    Pub. L. No. 106-102, 113 Stat. 1338, enacted November 12, 1999.\n                                                                                                         Page 3\n\x0c                         The Income Verification Express Services Program Needs\n                          Improvements to Better Protect Tax Return Information\n\n\n\n\n                                Lenders may also disclose income information to nonaffiliated third parties\n                                in the course of selling a loan on the secondary market without giving\n                                notice to the borrower or allowing them to \xe2\x80\x9copt out.\xe2\x80\x9d\n\nInternal Revenue Code           Tax return information is confidential and no officer or Federal employee\nSection 6103                    should disclose tax return information except as authorized.\n                                Section 6103(c) authorizes the Treasury Secretary to prescribe\n                                requirements and conditions that would allow officers and Federal\n                                employees to disclose tax return information to persons the taxpayer\n                                designates in a request for or consent to such disclosure.\nInternal Revenue Code           Section 7216 applies to any person who is engaged in the business of\nSection 7216                    preparing, or providing services in connection with the preparation of, tax\n                                returns for compensation. Any such person who knowingly or recklessly\n                                discloses any information furnished to him or her for, or in connection with,\n                                the preparation of any such tax return, or uses any such information for\n                                any purpose other than to prepare, or assist in preparing, any such return,\n                                shall be guilty of a misdemeanor.\nPrivacy Act of 19748            With specifically mentioned exceptions, no agency shall disclose any\n                                record which is contained in a system of records,9 except pursuant to a\n                                written request by, or with the prior written consent of, the individual to\n                                whom the record pertains.\n                                Agencies with systems of records (for example, taxpayer information) must\n                                establish appropriate administrative, technical, and physical safeguards to\n                                ensure the information contained in the records remains secure and\n                                confidential. This includes protecting the information against threats or\n                                hazards which could result in substantial harm, embarrassment,\n                                inconvenience, or unfairness to any individual on whom the agency\n                                maintains information.\n                                In addition, each agency shall keep an accurate accounting of the date,\n                                nature, and purpose of each disclosure to any person or agency, as well\n                                as the name and address of the person or agency to whom disclosure is\n                                made.\nSource: Laws as cited.\n\nThis review was performed at the Wage and Investment Division Headquarters in Atlanta, Georgia,\nand the Return and Income Verification Services unit in Kansas City, Missouri, during the period\nJune through October 2010. We conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require that we plan and perform the\naudit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and\n\n8\n  5 U.S.C. \xc2\xa7 552a (2006).\n9\n  The Privacy Act defines a system of records as a group of any records under the control of any agency from which\ninformation is retrieved by the name of the individual or by some identifying number, symbol, or other identifying\nparticular assigned to the individual.\n                                                                                                          Page 4\n\x0c                   The Income Verification Express Services Program Needs\n                    Improvements to Better Protect Tax Return Information\n\n\n\nconclusions based on our audit objectives. We believe that the evidence obtained provides a\nreasonable basis for our finding and conclusions based on our audit objective. Detailed\ninformation on our audit objective, scope, and methodology is presented in Appendix I. Major\ncontributors to the report are listed in Appendix II.\n\n\n\n\n                                                                                       Page 5\n\x0c                       The Income Verification Express Services Program Needs\n                        Improvements to Better Protect Tax Return Information\n\n\n\n\n                                       Results of Review\n\nControls Over the Income Verification Express Services Program\nNeed Strengthening to Protect Tax Return Information From\nDisclosure\nTaxpayer information is at risk of theft or misuse when taxpayers submit requests for tax return\ninformation through third parties because controls are insufficient to ensure taxpayer information\nthe IRS provides to IVES Program participants is protected. Laws and regulations that protect\ntaxpayer information do not always cover IVES Program participants.\n     \xe2\x80\xa2   IVES Program participants are not required to meet any minimum standards or similar\n         standards the IRS established for Electronic File (e-file) Providers10 and contractors.\n     \xe2\x80\xa2   The IRS does not require that IVES Program participants agree to maintain electronic\n         security and not disclose the information they receive from the IRS to nonaffiliated third\n         parties.\nAlso, limited testing showed that IVES Program participants may be altering Forms 4506-T after\ntaxpayers sign the forms.\nThe IRS has significant controls over e-file Providers that submit tax returns and taxpayer\ninformation to the IRS, but controls are limited for IVES Program participants that receive\ntaxpayer information from the IRS. Taxpayers need to be assured that the IRS is taking every\nprecaution to protect their tax return information. This includes, but is not limited to, processing\ntaxpayer requests for transcripts. IVES Program participants can obtain and collect large\nquantities of personally identifiable information and associated taxpayer income information that\ncould be at risk for identity theft.11\n\n\n\n\n10\n   An authorized IRS e-file Provider is a business or organization authorized by the IRS to participate in IRS e-file.\nIt may be a sole proprietorship, partnership, corporation, or other entity. Applicants accepted for participation in\nIRS e-file are Authorized IRS e-file Providers.\n11\n   Identity theft occurs when someone uses personally identifiable information, such as an individual\xe2\x80\x99s name, Social\nSecurity Number, credit card numbers, or other personal information, to commit fraud and other crimes.\n                                                                                                              Page 6\n\x0c                      The Income Verification Express Services Program Needs\n                       Improvements to Better Protect Tax Return Information\n\n\n\nThe IRS does not set minimum requirements or conduct suitability tests on the\nIVES Program applicants\nE-file Provider applicants must meet program requirements and suitability checks in order to\nsubmit tax returns to the IRS. See Figure 2 for the types of e-file Providers.\n                      Figure 2: Types of Authorized IRS E-File Providers\n\n       Electronic Return         Electronic Return Originators originate the electronic submission of\n       Originator                tax returns to the IRS.\n\n       Intermediate Service      Intermediate Service Providers assist with processing tax return\n       Providers                 information between Electronic Return Originators (or the taxpayer\n                                 in the case of Online Filing) and a Transmitter.\n\n       Online Providers          Online Providers allow taxpayers to self-prepare tax returns by\n                                 entering return data directly on commercially available software,\n                                 through software downloaded from an Internet site and prepared\n                                 offline, or through an online Internet site.\n\n       Reporting Agent           Reporting Agents originate the electronic submission of certain\n                                 returns for their clients, and/or transmit the returns to the IRS. A\n                                 Reporting Agent must be an accounting service, franchiser, bank,\n                                 or other similar entity,\n\n       Software Developers       Software Developers write either origination or transmission\n                                 software according to the IRS e-file specifications.\n\n       Transmitters              Transmitters send electronic return data directly to the IRS.\n                                 Electronic Return Originators and Reporting Agents may apply to\n                                 be Transmitters and transmit return data themselves, or they may\n                                 contract with an accepted third-party Transmitter that can transmit\n                                 the data for them.\n\n   Source: IRS e-file Application and Participation (Publication 3112).\n\nThe requirements and suitability checks for the e-file Provider Program state applicants must be:\n   \xe2\x80\xa2     A United States citizen or legal resident alien.\n   \xe2\x80\xa2     21 years of age as of the date of the application.\nSuitability checks may include:\n   \xe2\x80\xa2     Criminal background check.\n   \xe2\x80\xa2     Credit history check.\n\n\n\n                                                                                                        Page 7\n\x0c                    The Income Verification Express Services Program Needs\n                     Improvements to Better Protect Tax Return Information\n\n\n\n   \xe2\x80\xa2   Tax compliance check to ensure all required tax returns are filed and paid and to identify\n       fraud and preparer penalties.\nThe IRS also verifies the status of e-file Provider applicants who submit professional\ncertifications in lieu of a fingerprint card to ensure they are still in good standing with the\nparticular organizations that issued the certifications.\nIRS contractors must also meet minimum standards and submit fingerprints for a background\ninvestigation before the IRS will share taxpayer information with them. In addition to the\nbackground investigation, an individual who will have access to taxpayer information must be\nFederal tax compliant, a United States citizen or have lawful permanent resident status, and\nregistered with the Selective Service (for males born after 1959).\nHowever, IVES Program participants meet no minimum requirements and the IRS verifies only\nan applicant\xe2\x80\x99s name, Social Security Number, and date of birth. It does not conduct any\nsuitability tests (e.g., criminal background checks or tax compliance checks).\n\nIVES Program participants are not always covered by laws that protect taxpayer\ninformation\nMost IVES Program participants are not covered by the same disclosure laws as tax return\npreparers. Internal Revenue Code Section 7216 states that any person engaged in the business of\npreparing tax returns and who knowingly or recklessly discloses information in connection with\nthe preparation of tax returns or uses any of the information for any purpose other than to prepare\na tax return shall be guilty of a misdemeanor. Upon conviction, the preparer shall be fined not\nmore than $1,000 and/or imprisoned not more than 1 year.\nDisclosure provisions for tax information in the Gramm-Leach-Bliley Act cover lenders, but it\nprovides exceptions for disclosure when lenders are servicing or processing a financial product\nor service that an individual requests (such as a mortgage loan). Lenders may share loan\ninformation, including tax information, with third parties unless the borrower specifically\nrequests the lender not do so.\nThere are no laws that specifically apply to Income Verification Specialists unless they are\nworking on behalf of an entity covered by an existing law or regulation. For example, the\nGramm-Leach-Bliley Act applies to Income Verification Specialists if they work on behalf of a\nlender and there is a contractual agreement between both parties. In this case, the lender is\nresponsible for specifying the data security safeguards against threats or hazards that the Income\nVerification Specialists must follow and monitor how they handle taxpayer information.\nA review of a list of IVES Program participants showed that there were 1,695 participants in the\nIVES Program as of August 2010. From the information the IRS retains on IVES participants,\nwe could not determine if the participants would come under one of the laws that prevent\ndisclosure of taxpayer information. The IRS does not require applicants to provide the purpose\n\n                                                                                                  Page 8\n\x0c                        The Income Verification Express Services Program Needs\n                         Improvements to Better Protect Tax Return Information\n\n\n\nof their participation in the IVES Program. The Form 13803 requests names, contact\ninformation, and Social Security Numbers, but when asked for the Social Security Numbers for\nthe participants, the IRS was unable to provide them to us during our fieldwork.\nIn November 2009, the Department of the Treasury announced e-signature12 guidelines for the\nHome Affordable Modification Program and provided guidance on the methodology for using\nelectronic signatures to complete the process. The only document in the package that borrowers\ncannot electronically sign under Treasury guidelines is the Form 4506-T. The IRS\xe2\x80\x99s inability to\nimplement an e-signature program for Forms 4506-T within the lending industry is an indirect\nresult of the vulnerabilities of the IVES Program. In contrast with e-signatures accepted from\ne-file Providers who are screened, IRS management is not prepared to accept the risk of\nreceiving e-signatures from IVES Program participants because they have not been subjected to\nthe same requirements.\n\nPrior to November 2009, the IVES Program did not require participants to agree to\nany rules, conditions, or terms that provide safeguards over tax information\nForm 13803 (November 2009) provides IVES Program applicants with the following:\n         We are now offering a Transcript Delivery System (TDS) bulk upload process which allows you to\n         create a text file for submission of multiple requests on one spreadsheet. Please mark this box if\n         you wish to utilize the TDS bulk upload feature.\n             By marking this box, you agree to review Publication 4557, Safeguarding Taxpayer Data, and\n          to abide by the guidelines of the publication.\n\nThe prior version of Form 13803, dated September 2006, did not include these statements.\nSafeguarding Taxpayer Data (Publication 4557) provides guidelines on establishing safeguards\nfor IVES Program applicants:\n     \xe2\x80\xa2    Preserve the confidentiality and privacy of taxpayer data by restricting access and\n          disclosure.\n     \xe2\x80\xa2    Protect the integrity of taxpayer data by preventing improper or unauthorized\n          modification or destruction.\n     \xe2\x80\xa2    Maintain the availability of taxpayer data by providing timely and reliable access and\n          data recovery.\nHowever, Publication 4557 only restricts disclosure of taxpayer information, but does not\nprohibit it. In addition, at the time of this audit, the November 2009 version had not been posted\non IRS.gov; therefore, there is no assurance that any applicants are aware of these requirements\nor are following them.\n\n12\n  An e-signature is an electronic process attached to or associated with a contract or other record and used as the\nlegal equivalent of a written signature.\n                                                                                                              Page 9\n\x0c                       The Income Verification Express Services Program Needs\n                        Improvements to Better Protect Tax Return Information\n\n\n\nThe Social Security Administration has an extensive User Agreement for its Consent-Based\nSocial Security Number Verification (CBSV) Program that:\n     \xe2\x80\xa2   Details Program use.\n     \xe2\x80\xa2   Restricts the use of information provided.\n     \xe2\x80\xa2   States how CBSV Program participants should conduct annual compliance reviews.\n     \xe2\x80\xa2   Outlines participants\xe2\x80\x99 responsibilities.\nThe CBSV Program is a fee and consent-based Social Security Number verification service\navailable to, among others, private companies.13 Participating companies can use the CBSV\nProgram to verify if a name and Social Security Number combination match the data in the\nSocial Security Administration\xe2\x80\x99s records. For each Social Security Number and name\ncombination submitted to the CBSV Program, the\nSocial Security Administration confirms that the\n                                                                  When the Social Security\nsubmission either matches or does not match Social          Administration releases information\nSecurity Administration records.                                to program subscribers, the\n                                                                            recipients may use it only for\nSimilar to Form 4506-T transcript requests sent to the        reasons specified by the taxpayer.\nIRS, the CBSV Program requires the written consent              The IRS does not make similar\nof the Social Security Number holder before it will         restrictions for taxpayer information.\nprovide the requestor with information. However, the\nSocial Security Administration allows only the\nrequesting party to use the information they receive for the reason for which the Social Security\nNumber holder specifies on the consent form.\nThe IRS does not include a space on either Form 4506-T or Form 4506T-EZ for taxpayers to\nspecify the reason for disclosure or limit the use of the Forms for that use. The IRS does provide\na warning to taxpayers on the Forms 4506-T that states the following:\n     If the transcript or tax information is to be mailed to a third party (such as a mortgage company),\n               enter the third party\xe2\x80\x99s name, address, and telephone number. The IRS has no\n                        control over what the third party does with the tax information.\n\nThe Social Security Administration states that noncompliance with the User Agreement may be\ngrounds for suspension or dismissal from the CBSV Program. The only cause for suspension\nlisted when applying for the IVES Program is failure to timely pay fees. The suspension lasts\nuntil such time that the participant pays all outstanding invoices in full. While e-Services\nreserves the right to deny users access to any electronic services, products, and/or applications if\nthe IRS becomes aware of misuse or abuse, such misuses (for example, the submission of a\nrecycled or altered Form 4506-T) are not defined.\n\n13\n   To use the CBSV Program, users must pay a one-time, nonrefundable enrollment fee of $5,000 and then a\ntransaction fee per Social Security Number verification request. The transaction fee is currently $5.00 per request,\nand users must pay the fee in advance.\n                                                                                                            Page 10\n\x0c                      The Income Verification Express Services Program Needs\n                       Improvements to Better Protect Tax Return Information\n\n\n\nLimited tests showed some Forms 4506-T may be altered after the taxpayers signed them.\nA limited review of completed IVES Program transcript requests identified faxed copies on\nwhich the third party presumably used a sticker to complete line 5 on the Form 4506-T. Line 5\nasks for third-party information if the IRS is to mail the transcript to a third party. Because of\nthis, we were unable to determine if the taxpayers signed the Form 4506-T with another third\nparty\xe2\x80\x99s name in line 5 and the company subsequently covered line 5 with a sticker. The IRS\xe2\x80\x99s\nInternet instructions instruct IVES Program participants to insert the company\xe2\x80\x99s name and\naddress on line 5 after the taxpayers have completed and signed the Form.\n\n                 IRS Internet Instructions for Completing Form 4506-T\n                       Have the taxpayer complete and sign Form 4506-T\n                       according to the instructions provided with the form. On\n                       line 5 (designation of a third party to whom the transcript is\n                       to be delivered) insert your company\xe2\x80\x99s name, address,\n                       facsimile number, and the delegate\xe2\x80\x99s user-ID for secure\n                       mailbox delivery.\n\n\nAs we have reported, the IRS continues to implement improvements to its e-file Provider\nProgram controls to ensure only authorized providers participate in the e-file Provider Program.14\nThe IRS should now ensure that IVES Program participants are also subject to similar controls.\nIt should also ensure that IVES Program participants, like those in the Social Security\nAdministration\xe2\x80\x99s CBSV Program, are required to maintain electronic security over taxpayer data\nand are prohibited from disclosing information they receive from the IRS on behalf of taxpayers\nand lenders.\nUnauthorized disclosure of tax return information puts taxpayers at risk for improper use of their\ninformation, including identity theft. Identity theft occurs when someone uses personally\nidentifiable information, such as an individual\xe2\x80\x99s name, Social Security Number, credit card\nnumbers, or other account information, to commit fraud and other crimes. Taxpayers need to be\nassured that the IRS is taking every precaution to protect their tax return information. This\nincludes, but is not limited to, processing taxpayers\xe2\x80\x99 requests for transcripts. IVES Program\nparticipants, most of whom may be lenders and/or Income Verification Specialists, obtain and\ncollect large quantities of personally identifiable information and taxpayer income information\nthat is vulnerable to disclosure if controls are not sufficient to protect it.\n\n\n\n\n14\n  Better Screening and Monitoring of E-File Providers Is Needed to Minimize the Risk of Unscrupulous Providers\nParticipating in the E-File Program (Reference Number 2007-40-176, dated September 19, 2007).\n                                                                                                       Page 11\n\x0c                     The Income Verification Express Services Program Needs\n                      Improvements to Better Protect Tax Return Information\n\n\n\nRecommendations\nThe Commissioner, Wage and Investment Division, should:\nRecommendation 1: Develop and enforce minimum requirements for the IVES Program that\nwould help ensure participants are suitable to have a working relationship with the IRS and\nreceive taxpayer information from the IVES program.\n        Management\xe2\x80\x99s Response: The IRS agreed to explore minimum requirements for\n        IVES participants, including background investigations and tax compliance checks.\nRecommendation 2: Update Form 13803 to include a statement that taxpayer information\ncan only be used for the purpose the taxpayer/requestor intended. Ensure the current version of\nForm 13803 is provided to all applicants, is posted on IRS.gov, and is the only version accepted.\n        Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. It will revise\n        Form 13803 as requested. The IRS will ensure the current version of Form 13803 is\n        provided to all IVES applicants and is posted on IRS.gov. It will also accept only the\n        most current version from applicants.\nRecommendation 3: Within 1 year of revising Form 13803, contact and obtain a completed\nForm 13803 from all current IVES Program participants.\n        Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. Once it\n        revises the Form 13803, the IRS will contact all current IVES Program participants and\n        obtain a current version of the form.\nRecommendation 4: Revise Forms 4506-T and 4506T-EZ to allow taxpayers to limit lending\ninstitutions\xe2\x80\x99 disclosure of their tax return information to nonaffiliated third parties only if it is in\nthe course of processing or selling their loan.\n        Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The Tax\n        Forms and Publications function will work closely with IRS Chief Counsel to develop the\n        necessary language.\n\n\n\n\n                                                                                               Page 12\n\x0c                       The Income Verification Express Services Program Needs\n                        Improvements to Better Protect Tax Return Information\n\n\n\n                                                                                                  Appendix I\n\n          Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to evaluate regulations and IVES enrollment policies\nthat ensure lenders, such as banks, and companies that specialize in making third-party requests\nfor lenders (Income Verification Specialists1) properly protect taxpayers\xe2\x80\x99 tax return information.\nTo accomplish our objective, we:\nI.      Determined how current regulations, laws, and IRS policies could be amended or\n        modified to ensure third parties and lenders properly protect taxpayers\xe2\x80\x99 tax return\n        information from improper disclosure or theft.\n        A. Talked to representatives from the Department of the Treasury\xe2\x80\x99s Office of the\n           Comptroller of Currency to identify current laws and regulations addressing the\n           protection of tax return information by lenders and Income Verification Specialists.\n        B. Discussed with IRS management the risks associated with sending tax return\n           information to third parties and lenders.\n        C. Identified changes or additions to current laws and regulations (or the need for a new\n           law or regulation) that would reduce the risk of third parties and lenders improperly\n           using or disclosing tax return information as well as ensuring the data are protected\n           from theft.\nII.     Determined how the IRS could strengthen IVES Program enrollment policies to ensure\n        third parties adequately protect tax return information from improper disclosure or theft.\n        A. Determined if the IRS requires IVES Program participants to meet specific standards\n           for disclosure and security requirements.\n        B. Identified and evaluated the potential security requirements for IVES Program\n           participants, especially third parties and lenders, which would help prevent identity\n           theft2 and improper disclosure of tax return information.\nIII.    Determined if third parties and lenders are improperly using Request for Transcript of\n        Tax Return (Form 4506-T) or a Short Form Request for Individual Tax Return Transcript\n\n\n\n1\n  An Income Verification Specialist is a company that specializes in obtaining income information about individuals.\nLenders often use them to verify the income of loan applicants.\n2\n  Identity theft occurs when someone uses personally identifiable information, such as an individual\xe2\x80\x99s name, Social\nSecurity Number, credit card numbers, or other personal information, to commit fraud and other crimes.\n                                                                                                          Page 13\n\x0c                       The Income Verification Express Services Program Needs\n                        Improvements to Better Protect Tax Return Information\n\n\n\n         (Form 4506T-EZ) by reusing or resubmitting altered copies of the forms to request\n         updated information from the IRS.\n         A. Obtained a list of IVES Program participants and reviewed the Transcript Delivery\n            System3 to determine which participants are lenders or third parties who specialize in\n            providing tax return information to lenders.\n         B. Reviewed 391 hard copy Forms 4506-T at the Kansas City, Missouri, IVES Program\n            location to determine if we could identify instances of alterations, post-dating by third\n            parties, or forms submitted after 120 days of signature.\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined the following\ninternal controls were relevant to our audit objective: the IRS policies, procedures, and practices\nfor helping to ensure the people to whom it is sending large amounts of taxpayer information will\nappropriately protect it. We evaluated these controls by performing the steps previously noted.\n\n\n\n\n3\n  The Transcript Delivery System automates the validation, processing, and delivery of taxpayer information to\ntaxpayers or authorized third parties. The Transcript Delivery System can be accessed by IRS employees and\nincludes self-service electronic communication, whereby the user can request and receive a transcript interactively\nthrough the e-Services portal.\n                                                                                                            Page 14\n\x0c                  The Income Verification Express Services Program Needs\n                   Improvements to Better Protect Tax Return Information\n\n\n\n                                                                             Appendix II\n\n                 Major Contributors to This Report\n\nMichael E. McKenney, Assistant Inspector General for Audit (Returns Processing and Account\nServices)\nAugusta R. Cook, Director\nWilma Figueroa, Audit Manager\nKenneth Carlson, Lead Auditor\nPamela M. DeSimone, Senior Auditor\nPatricia A. Jackson, Senior Auditor\n\n\n\n\n                                                                                    Page 15\n\x0c                 The Income Verification Express Services Program Needs\n                  Improvements to Better Protect Tax Return Information\n\n\n\n                                                                       Appendix III\n\n                        Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDeputy Commissioner for Services and Enforcement SE\nDeputy Chief Information Officer for Strategy/Modernization OS:CTO\nDeputy Commissioner of Operations, Wage and Investment Division SE:W\nDeputy Commissioner of Services, Wage and Investment Division SE:W\nDirector, Privacy, Information Protection, and Data Security OS:P\nDirector, Customer Account Services SE:W:CAS\nDirector, Submission Processing SE:W:CAS:SP\nDirector, Electronic Products and Services Support, Wage and Investment Division\nSE:W:CAS:E:PSS\nChief Counsel CC\nChief, Program Evaluation and Improvement, Wage and Investment Division SE:W:S:PRA:PEI\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Chief, Program Evaluation and Improvement, Wage and Investment Division\nSE:W:S:PRA:PEI\n\n\n\n\n                                                                               Page 16\n\x0c     The Income Verification Express Services Program Needs\n      Improvements to Better Protect Tax Return Information\n\n\n\n                                                  Appendix IV\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                         Page 17\n\x0cThe Income Verification Express Services Program Needs\n Improvements to Better Protect Tax Return Information\n\n\n\n\n                                                    Page 18\n\x0cThe Income Verification Express Services Program Needs\n Improvements to Better Protect Tax Return Information\n\n\n\n\n                                                    Page 19\n\x0cThe Income Verification Express Services Program Needs\n Improvements to Better Protect Tax Return Information\n\n\n\n\n                                                    Page 20\n\x0c'